Phishing Drills

Eweek has an interesting article on Phishing Drills. As the article points out, this isn’t a new concept, but providing the drill as a service makes it a lot easier to implement. phishme.com is a new service (not yet available) from Intrepidus. It’s a paid service that allows you to set up a mock phishing exercise to evaluate your employees’ response to phishing and educate them if they fail.
It looks good: a Flash demo on the site shows reports on how many recipients clicked the link and how many actually attempted to enter information at the “phishing” site.
I find myself wondering a couple of things. Will they differentiate people who followed the link using a text browser from those who used a regular browser? That would indicate that they are investigating the link rather than falling for it. I’m also wondering if this test would run into problems with existing defenses. If I have to whitelist their sending IP, that will show up in the mail headers. The users would then have an affirmative defense that they checked the source of the email and saw it was whitelisted.
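As an added example (not code from the post, from phishme.com or from Intrepidus), the following Python script produces the two report figures mentioned above, recipients who clicked versus recipients who submitted data, from a constructed landing-page access log, and also separates out the text-browser hits the post asks about. The log format, the `t=` recipient token and the list of text-mode user agents are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log from a mock phishing landing page (not real data).
# Each line: client_ip "METHOD path HTTP/x" status "User-Agent"; the t= token
# identifies which drill recipient the link was sent to (assumed scheme).
SAMPLE_LOG = """\
10.0.0.11 "GET /login?t=u1 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"
10.0.0.11 "POST /login?t=u1 HTTP/1.1" 302 "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"
10.0.0.12 "GET /login?t=u2 HTTP/1.1" 200 "Lynx/2.8.9rel.1 libwww-FM/2.14"
10.0.0.13 "GET /login?t=u3 HTTP/1.1" 200 "curl/7.58.0"
10.0.0.14 "GET /login?t=u4 HTTP/1.1" 200 "Mozilla/5.0 (Macintosh) Safari/605.1"
"""

LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3}) "([^"]*)"$')
TOKEN_RE = re.compile(r"[?&]t=(\w+)")
# User agents that suggest someone is inspecting the link rather than browsing to it.
TEXT_AGENTS = ("lynx", "w3m", "curl", "wget")


def is_text_agent(user_agent):
    ua = user_agent.lower()
    return any(name in ua for name in TEXT_AGENTS)


def summarize(log_text):
    """Per-recipient outcome plus the headline counts a drill report would show."""
    recipients = defaultdict(lambda: {"clicked": False, "submitted": False, "text_browser": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that don't fit the expected format
        _ip, method, path, _status, ua = m.groups()
        t = TOKEN_RE.search(path)
        if not t:
            continue  # hit without a recipient token: cannot be attributed
        rec = recipients[t.group(1)]
        rec["clicked"] = True
        if method == "POST":
            rec["submitted"] = True  # tried to enter data on the fake form
        if is_text_agent(ua):
            rec["text_browser"] = True
    report = {
        "clicked": sum(r["clicked"] for r in recipients.values()),
        "submitted": sum(r["submitted"] for r in recipients.values()),
        # clicked from a text browser and never submitted: likely investigating, not fooled
        "investigated": sum(r["text_browser"] and not r["submitted"] for r in recipients.values()),
    }
    return report, dict(recipients)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG)[0])
```

A click from a text browser is only a hint, not proof, that the recipient was checking the link, so the "investigated" figure is best reported alongside the raw click count rather than subtracted from it.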